Yang, BongYeol (xeraph)

Results: 67 comments by Yang, BongYeol (xeraph)

@WWIJP Potentially vulnerable message starts with `[?]`. You can identify potentially vulnerable output like this:

```
# ./log4j2-scan --scan-log4j1 t |grep ^\\[?\\]
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /path/to/log4j-1.1.3.jar,...
```

@WWIJP Start of the line classifies vulnerable or potentially vulnerable. End of the line specifies whether it is mitigated or not. It can be combined like this: * `[*] Found CVE_CODE...

@WWIJP Maybe that is the file from Cloudera. You can compress hive-warehouse-connector-assembly-1.0.0.7.1.5.0-257.jar to a zip file and upload it here (drag the file and drop it into the comment input area). You can also...

@Jwalker107 Mitigated flag means `--fix` target doesn't exist. https://github.com/logpresso/CVE-2021-44228-Scanner/blob/46200101ea784dd176b3e4a04548a82ccd01e628/src/main/java/com/logpresso/scanner/Detector.java#L239-L240 Specific to 2.16.0 output, it's a little bit confusing as you said: * VULNERABLE means JAR has CVE-2021-45105 vulnerability and JndiLookup.class...

JSON report contains log4j2-scan version. You can transform JSON report to CSV file as you need. Otherwise, fork and build your own version :D

It is supported since v2.4.0 https://github.com/logpresso/CVE-2021-44228-Scanner/commit/639e5b0ba704548e8382d7970aa816fa2f543653#diff-946cf8c2730e2f7f3b309a41f646d2abc99462fe45d56f431f95708be6069d22R162 anyway, I'll add scanner version column to the csv report file in the next release..

@koppenho That is weird. If you are using log4j2-scan.*exe*, it does not use java on system. (it is self-executable image). Moreover, log4j2-scan is based on JDK7 (it cannot run on...

@arathai Thank you for your contribution :D BTW, there are too many diffs due to code convention changes. Would you revert that and minimize the changes?

@thl-cmk You are right. Current version only excludes directories for maximum scan speed. If scanner tries to exclude also files, it should match all files (millions of..) and performance will...

Maybe another option should be added for that.. Exact full path match is relatively cheap (can use hash code), but current option uses prefix match for directory matching.. (comparison count...